Planning for Software Security

■ Some questions to aid in understanding security risks to achieving project goals and objectives:

- What is the value we must protect?

- To sustain this value, which assets must be protected? Why must they be protected? What happens if they're not protected?

- What potential adverse conditions and consequences must be prevented and managed? At what cost? How much disruption can we stand before we take action?

- How do we determine and effectively manage residual risk (the risk remaining after mitigation actions are taken)?

- How do we integrate our answers to these questions into an effective, implementable, enforceable security strategy and plan?

■ Help you determine how much to invest, where to invest, and how fast to invest in an effort to mitigate software security risk.
Influencing the Security Properties of Software

■ Balance between engaging in defensive action and thinking like an attacker

■ Primary perspective is that of the defender

- Build in security features to make software resilient to attack

- Minimize weaknesses that may lead to vulnerability

■ Balancing perspective is that of the attacker

- Strive to understand the exact nature of the threat that the software is likely to face so as to focus defensive efforts on areas of highest risk.

■ These two perspectives, working in combination, guide the actions taken to make software more secure.
Addressing the Expected & Unexpected: Avoiding, Removing, and Mitigating Weaknesses - Software Security

■ "Software security" focuses on preventing weaknesses from entering the software in the first place or, if that is unavoidable, at least removing them as early in the life cycle as possible and before the software is deployed

■ Build Security In!!

■ A wide variety of security-focused practices are available to software project managers and their development teams that can be seamlessly integrated throughout any typical software engineering SDLC
Integrating Security into a typical software development lifecycle (SDLC) is evolutionary, not revolutionary.

It is fundamentally an extension of good quality practices.
Traditional Quality Assurance

■ Requirements Reviews

■ Design Reviews

■ Code Reviews

■ Traditional Testing

[Figure: traditional QA activities placed along the lifecycle: Requirements Review, Design Review, Code Review, Test Strategy, Planning & Execution]
Extending Traditional QA to Include Security

HS SEDI - Homeland Security Systems Engineering and Development Institute

■ Security Requirements Capture and Analysis, including Abuse Cases

■ Architectural Risk Analysis

■ Secure Code Review

■ Risk-based Security Testing

■ Penetration Testing


[Figure: security touchpoints overlaid on the lifecycle: Abuse Cases, Security Requirements, External Review, Risk Analysis, Risk-based Security Tests, Code Review (tools), Penetration Testing]
What New Dimensions does Security Bring?

■ Don't stop what you are doing, just build on it

■ Evidence that software does what it is supposed to do and nothing else

■ Intentional vs. unintentional problems

■ Testing Inside-Out, not just Outside-In

■ Recognize the attacker's perspective

- Think like the bad guys

■ Risk-based approach

- Software will never be perfect

- Valid and valuable for QA

- Crucial for security
Software Security Critical Lessons

■ Software security is more than a set of security functions

- Not silver-bullet security mechanisms

- Not application of very simple tools

■ Non-functional aspects of design are essential

■ Security is an emergent property of the entire system (just like quality)

■ Breaking stuff is important

■ To end up with secure software, deep integration with the SDLC is necessary
Bottom-Up Software Security Actions

■ A few relatively simple things can make a tangible difference and can help you get started with software security

■ Build checklists and use them

- Sun's Security at a Glance (SAG) checklist: http://www.securecoding.org/companion/checklists/SAG/

■ Begin to develop a resource set (e.g., portal)

■ Start small with simple architectural risk analyses

■ Don't forget to include business-case justifications

■ Use code scanning tools
Top-Down Software Security Actions

■ Think of the problem as an evolutionary approach

■ Chart out a strategic course of action to get where you want to be

- Have a gap analysis performed

- Make achievable, realistic milestones

- Think about metrics for success

■ Use outside help as you need it

The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.


BSIMM Software Security Framework

The Software Security Framework (SSF): four domains, each with three practices

■ Governance

- Strategy and Metrics

- Compliance and Policy

- Training

■ Intelligence

- Attack Models

- Security Features and Design

- Standards and Requirements

■ SSDL Touchpoints

- Architecture Analysis

- Code Review

- Security Testing

■ Deployment

- Penetration Testing

- Software Environment

- Configuration Management and Vulnerability Management
OpenSAMM
Microsoft Secure Development Lifecycle

[Figure: the SDL phases in order: Training, Requirements, Design, Implementation, Verification, Release, Response]
Best Practices Reprise

■ These best practices should be applied throughout the lifecycle

■ Tendency is to "start right" (penetration testing) and declare victory

- Not cost effective

- Hard to fix problems

■ Start as far to the left as possible
Touchpoints, from left (earliest) to right (latest) in the lifecycle:

- Abuse cases

- Security requirements analysis

- Architectural risk analysis

- Risk analysis at design

- External review

- Test planning based on risks

- Code review with static analysis tools

- Security testing (malicious tests)
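The touchpoints above name "abuse cases" at the left of the lifecycle and "security testing (malicious tests)" at the right, and an earlier slide asks for evidence that software does what it is supposed to do "and nothing else". One lightweight way to connect the two is to write each abuse case as an executable test beside the normal use case, so the evidence is produced on every build. The following is an added example, not code from the deck or from MITRE: the report-lookup helper, its naming policy and every input value are constructed for illustration.

```python
"""Abuse cases written as executable tests (added example, not from the deck).

A hypothetical helper maps a user-supplied report name to a file under a
fixed directory.  The normal use case and each abuse case are recorded
together, and run_abuse_cases() reports which requirements hold.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Hypothetical policy: a report name is a short, plain identifier.
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_report(base_dir: Path, name: str) -> Path:
    """Map a report name to base_dir/<name>.txt.

    Use case:    'q1-summary' -> base_dir/q1-summary.txt
    Abuse cases: any name that is not a plain identifier, or any resolved
                 path that leaves base_dir, is rejected with ValueError.
    """
    if not _NAME_RE.fullmatch(name):
        raise ValueError("report name is not a plain identifier")
    base = base_dir.resolve()
    target = (base / f"{name}.txt").resolve()
    # Defence in depth: even if the allow-list above were loosened later,
    # the resolved path must still sit inside the report directory.
    if base not in target.parents:
        raise ValueError("resolved path escapes the report directory")
    return target


# Constructed abuse cases: each misuse is paired with the requirement it tests.
ABUSE_CASES = {
    "../secrets": "rejects parent-directory traversal",
    "/etc/hostname": "rejects absolute paths",
    "q1\x00summary": "rejects embedded NUL bytes",
    "q1 summary": "rejects whitespace and shell-unsafe characters",
    "x" * 65: "rejects over-long names",
    "": "rejects empty names",
}


def run_abuse_cases(base_dir: Optional[Path] = None) -> Dict[str, bool]:
    """Run the use case and every abuse case; return {requirement: held?}.

    When no directory is given, a throwaway temporary directory is used so
    the check runs anywhere without touching real data.
    """
    if base_dir is None:
        with tempfile.TemporaryDirectory() as tmp:
            return run_abuse_cases(Path(tmp))

    results: Dict[str, bool] = {}
    # "Does what it is supposed to do": the legitimate name resolves.
    results["serves a valid report name"] = (
        resolve_report(base_dir, "q1-summary").name == "q1-summary.txt"
    )
    # "... and nothing else": every abuse case must be refused.
    for name, requirement in ABUSE_CASES.items():
        try:
            resolve_report(base_dir, name)
            results[requirement] = False   # accepted: a defect to fix
        except ValueError:
            results[requirement] = True    # refused as required
    return results


def all_cases_pass(base_dir: Optional[Path] = None) -> bool:
    """True only if the use case and every abuse case behave as required."""
    return all(run_abuse_cases(base_dir).values())


if __name__ == "__main__":
    for requirement, held in run_abuse_cases().items():
        print(f"{'PASS' if held else 'FAIL'}  {requirement}")
```

Each entry in ABUSE_CASES is the kind of line item an abuse-case review produces early in the lifecycle; keeping it in the test suite is what turns the review output into the "malicious tests" at the other end of the timeline, and a new entry costs one line when a reviewer finds another misuse.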
Summary

■ Evolutionary, not revolutionary

■ Security is an extension of Quality Assurance

■ Requires more Inside-Out analysis

■ Think like an attacker

■ Risk management is essential

■ Think bottom-up (tactically) and top-down (strategically)

■ Understand your context to know where you want to go

■ Understand your current state to know how to get there

■ Build and follow a roadmap for gradual evolution
Resources

■ Resources available with practice specifications

- Build Security In website (DHS): https://buildsecurityin.us-cert.gov/daisy/bsi/home.html/

- Software Assurance Self Assessment (BSIMM, SAFECode, MS SDL, etc.): https://buildsecurityin.us-cert.gov/swa/proself_assm.html

- Software Security Engineering: A Guide for Project Managers (book): http://www.softwaresecurityengineering.com/

- Open Web Application Security Project (OWASP): http://www.owasp.org

Wednesday, April 27, 2011
Questions?

Sean Barnum
MITRE
sbarnum@mitre.org